Welcome to the Cofense Blog

The Return of NJRat

NJRat is a remote-access Trojan that has been in use for the last few years. We hadn’t heard much about NJRat since April 2014, but some samples we’ve recently received show that this malware is making a comeback. (For some background on NJRat, a 2013 report from Fidelis Cybersecurity Solutions at General Dynamics detailed the indicators, domains, and TTPs associated with cyber-attacks using NJRat.)

Using the PhishMe Reporter button, several internal users at PhishMe reported the following suspicious email (Figure 1):

Figure 1 — Phishing email

Once the link is clicked, the user is brought to a download page offering the file “NFSW_Car_Changer.exe” (Figure 2).

Figure 2 — Download of .exe file

The executable is compiled with .NET 4.0 (Figure 3). This is worth mentioning because most malware today is written in C/C++.


Figure 3 — .NET reference for the malware

The biggest benefit of writing malware in .NET is that it can be difficult to decode and see what is truly going on. While .NET code can be decompiled back to something close to the original source (not 100%, but closer than most compiled languages), the usual static analysis techniques can be thrown off because the decompiled code differs from what the analyst expects. This is why we often have to rely on dynamic analysis, or just double-clicking the file, for .NET analysis.

Once the malware runs, it copies itself to %temp%/explorer.exe and begins attempting connections to zunigle.ddns[d]net. That domain currently resolves to 193.180.164[d]235 (Figure 4).


Figure 4 — Screenshot of DNS query for NJRat

Once the connection is established, the malware attempts to send various pieces of information back to the attackers (Figure 5). For NJRat, the traffic is typically base64-encoded and can be decoded right from the command line (Figure 6). This includes the campaign code as well as the titles of windows that were clicked during analysis.


Figure 5 — Traffic being sent to attackers


Figure 6 — Decoded base64 information from NJRat
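As an added example (not part of the original post or of any Cofense tooling), the following script automates the base64 decoding step described above over captured C2 lines. The sample traffic is constructed, not a real NJRat capture; the field names and the “|” separator are assumptions made only to give the decoder realistic input, and it tolerates stripped “=” padding, which is a common reason a quick command-line decode fails.

```python
import base64
import binascii
import re

# Tokens that look like base64: 8+ chars of the standard alphabet plus
# optional '=' padding. Short tokens are skipped to limit false positives.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def decode_token(token: str):
    """Decode one base64 token, tolerating stripped '=' padding.

    Returns the decoded text, or None when the token is not valid base64
    or does not decode to printable text (binary blobs are left alone).
    """
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def decode_c2_line(line: str):
    """Return (encoded, decoded) pairs for every decodable field in one line."""
    results = []
    for match in B64_TOKEN.finditer(line):
        decoded = decode_token(match.group(0))
        if decoded is not None:
            results.append((match.group(0), decoded))
    return results


def decode_traffic(lines):
    """Decode a list of captured lines and return the recovered plaintext fields."""
    return [decoded for line in lines for _, decoded in decode_c2_line(line)]


# Constructed sample traffic (NOT real NJRat data). The "ll"/"act" field names
# and "|" separator are assumptions. Line 1 carries a campaign code and a
# hostname; line 2 carries a window title with its '=' padding stripped.
SAMPLE_TRAFFIC = [
    "ll|Y2FtcDAx|V0lOLUFOQUxZU0lT",
    "act|Tm90ZXBhZA",
]

if __name__ == "__main__":
    for line in SAMPLE_TRAFFIC:
        for encoded, decoded in decode_c2_line(line):
            print(f"{encoded} -> {decoded}")
```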

The IP address appears to be part of VPN infrastructure. Based on the analysis in the Fidelis article, the use of VPN infrastructure and No-IP dynamic DNS matches up very well. The VPN references also match one of the two NJRat Facebook pages:


Figure 7 — NJRat Facebook page


Figure 8 — NJRat Facebook page

The malware can be found here: